WordPress Plugin Vulnerabilities

Envira Photo Gallery < 1.7.7 - Authenticated Stored Cross-Site Scripting (XSS) Issue

Description

A stored XSS vulnerability exists in the version of the plugin 1.7.6. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary javascript code into the plugin gallery image which is viewed by other users.

Affects Plugins

Plugin icon
envira-gallery-lite
Fixed in 1.7.7

References

CVE
CVE-2020-9334

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Vishnupriya Ilango of Fortinet's FortiGuard Labs
Verified
No
WPVDB ID
5ee06ebc-ab9f-452d-b5df-df870fa9f038

Timeline

Publicly Published
2020-02-25 (about 6 years ago)
Added
2020-02-25 (about 6 years ago)
Last Updated
2020-12-11 (about 5 years ago)

Other

Published
Title
Published
2026-02-26
Title
List category posts < 0.94.0 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2014-08-01
Title
Nmedia MailChimp 3.1 - api_mailchimp/postToMailChimp.php abs_path Parameter XSS
Published
2025-04-01
Title
Sheet2Site <= 1.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-10-12
Title
WP 6.3-6.3.1 - Contributor+ Stored XSS via Footnotes Block
Published
2016-04-21
Title
Persian Woocommerce SMS <= 3.3.3 - Reflected Cross-Site Scripting (XSS)